Ok.. so I want to download HijackThis to have an in depth report for you all to look at. But... due to the very issue I am needing your help resolving, I am unable to open the link to download it or any link in most web pages. Sometimes I don't even have the link available to select. Not only that, but I can't do a system restore nor can I update to Service Pack 2 for XP. Some general info on my OS & other whatnots are: I run AVG 7.5 & SpyBot Search & Destroy 1.4 & have XP Prof 2002.
Although I run the programs and it says I'm good to go, I noticed I have WinAntiSpy still lurking in my docs & settings (C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data).
Is this my problem? Or am I worse off than I thought?
I'm at a loss. I would like to avoid the wipe & reinstall of Windows.
Any suggestions?

I love fooling round in the dark. Lessee, try this:
==Download fixwareout from http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe - and save it to your desktop.
Double click Fixwareout.exe to start the Fixwareout Setup Wizard, click next and then install. Ensure that Run fixit is checked, and click on Finish. After the fix follow the prompts. You will be asked to reboot your computer, and it may take longer than usual to load - this is normal.

Next check some settings.... In Control Panel select Network and Internet Connections, rclick on your default connection, usually Local Area Connection for cable and DSL, and lclick on Properties. Click the Networking tab. Dclick on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the properties screen and reboot if it asks.

Now flush the DNS cache: Go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then Enter. [space after ipconfig]. Type Exit.
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs]
Panda Online Scan:
==Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

NOTE!! If you cannot open that first link above, copy or paste this URL into your browser:
xxxx://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
-because of the way in which this site is coded to recognise and script links I have replaced the http with x's -you will have to put back the http..!!
-running this will not do any harm even if you don't have malware, but it includes a couple of nifty tricks that may help...

Here is the report from the 1st item "fixwareout.exe". I will post more as I complete the tasks....


Username "Crystal" - 08/19/2007 19:23:39 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Isn't this a hoot!! I can't do the online scan at pandascan. I have the link available but am unable to select it. I tried to add it to my google tool bar and got "The custom button cannot be installed. Reference to undefined entity 'nbsp'. (line 73 column 770). http://www.pandasoftware.es/productos/activescan/panda.xml"
<sigh>

dragonflei... that fixwareout log is fine, pity about the pandascan... Do you have another browser, like Firefox or Opera? It would be nice to know if they work with links.
Btw, you could just delete that Winantispyware file, and any others you see.
Try to enter Safe mode and see if System Restore works from there - you are given the option just before actual safe mode starts. No? Then inside Safe mode is LKG [last known good config..] but I doubt that will solve things.
You could run System File Checker because it does sound like some of your sys files are corrupted - you go Start, run and type:
sfc /scannow -and press Enter.
If it turns out to be file and registry corruption then I cannot think of another option but to run Windows Repair via Setup if you have the installation CD. You won't lose your data files or software applications and their settings, but if possible via Safe Mode you should copy out your really important files..

I don't have another browser and have tried to install Firefox & Opera but again, the links to download are there but when I click them, it loops me back to the download button.
I have tried to do a system restore in safe & normal modes but...lol...the screen is blank. No options, choices, etc.. I will try the safe mode method again since I did the other fixes last night. Fingers crossed it made some sort of difference.
I will let you know what happens....

If the Safe mode with Networking option does not allow you to use links etc then it would have to be a deep-seated piece of malware that is being problematic, or else a corruption of your sys..

So, I was able to download Opera, then got Firefox through there. I still can't do PandaScan as it requires Internet Explorer...BUT... I was able to get a HiJackThis report for you!! <woo-hoo>:
Logfile of HijackThis v1.99.1
Scan saved at 9:12:58 PM, on 8/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Crystal\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {A84033D9-A008-461C-A9D6-7E7250B7912C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C4F9A2C4-4D8B-4A69-AE10-C35D3B313C01} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - (no file)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: ddcaa - C:\WINDOWS\System32\ddcaa.dll (file missing)
O20 - Winlogon Notify: iifeecd - iifeecd.dll (file missing)
O20 - Winlogon Notify: tustq - C:\WINDOWS\System32\tustq.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

Only old traces of malware in that log. Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {A84033D9-A008-461C-A9D6-7E7250B7912C} - (no file)
O2 - BHO: (no name) - {C4F9A2C4-4D8B-4A69-AE10-C35D3B313C01} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - (no file)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - (no file)
O20 - Winlogon Notify: ddcaa - C:\WINDOWS\System32\ddcaa.dll (file missing)
O20 - Winlogon Notify: iifeecd - iifeecd.dll (file missing)
O20 - Winlogon Notify: tustq - C:\WINDOWS\System32\tustq.dll (file missing)

These next are dependent upon you; the two O9's link you to a webpage that connects you to an MSN Alexis search engine - your choice, you may use it, I don't know. It's not a problem.
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

These downloads will fit on a couple of floppies, or a thumb drive... copy into the pc.
I can see that you had a vundo infection, and I do not know how you removed it... so we may as well check this. Please rename hijackthis.exe to imabunny.exe - this is important.
==Please download VundoFix.exe to your desktop from http://www.atribune.org/ccount/click.php?id=4
=Restart your system in Safe Mode.
Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
When the scan completes click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files - click YES
Your desktop will then go blank as the process of removing Vundo starts.
When completed it will prompt that it will restart your computer - click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
!! Check the Vundofix log for any found files that were not deleted - if present rerun Vundofix !!

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt, C:\vundofix.txt along with the log of a fresh hijackthis scan run in normal mode.

One day you should go through the business of installing SP2...... just borrow someone's XP installation CD [use your own numbers!] or get one free from your local friendly computer shop....
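
The triage applied to the HijackThis log in the reply above, as an added example (not part of the thread and not code from HijackThis): it collects entries whose target is reported as "(no file)" or "(file missing)" and sets aside any whose path matches a running process, such as the O23 wireless service entry, which carries the marker only because of the stray quote in its path. The function names are hypothetical; the sample lines are copied from the first log posted in this thread.

```python
import re

# Excerpt of the first HijackThis log posted in this thread (lines copied from it).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: ddcaa - C:\WINDOWS\System32\ddcaa.dll (file missing)
O20 - Winlogon Notify: iifeecd - iifeecd.dll (file missing)
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")   # e.g. "O20 - Winlogon Notify: ..."
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_log(text):
    """Return (set of running process paths, list of (section, body) entries)."""
    processes, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False                     # first entry ends the process list
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.add(line.lower())
    return processes, entries


def triage(text):
    """Split orphaned entries into (stale, review).

    stale  : registry entry points at a file that is gone (leftover trace).
    review : marked missing, but the same path is a running process, so the
             marker is a path-parsing artifact and the entry should be kept.
    """
    processes, entries = parse_log(text)
    stale, review = [], []
    for code, body in entries:
        if not body.endswith(ORPHAN_MARKERS):
            continue
        if any(proc in body.lower() for proc in processes):
            review.append((code, body))
        else:
            stale.append((code, body))
    return stale, review


def remaining_after_fix(before, after):
    """Stale entries from the `before` log that still appear in the `after` log."""
    after_entries = set(parse_log(after)[1])
    return [entry for entry in triage(before)[0] if entry in after_entries]


if __name__ == "__main__":
    stale, review = triage(SAMPLE_LOG)
    for code, body in stale:
        print("stale :", code, "-", body)
    for code, body in review:
        print("review:", code, "-", body)
```

Running `remaining_after_fix` on the log taken before Fix Checked and the fresh log taken afterwards confirms that every stale entry was actually removed.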

Logfile of HijackThis v1.99.1
Scan saved at 8:32:24 AM, on 9/1/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Crystal\Desktop\hijack this\imabunny.exe.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

*** I did the Vundo thing and found no files. I also tried to find the SDFix at http://downloads.andymanchesta.com/RemovalTools/SDFix.exe but there was no fix in there...or...I just did not see it. I opened every link he had in every category but did find it. I still do not have the ability to do a system restore in safe or normal modes, cannot open Windows Media Player ( I get an internal application error), and links in I.E. are still inaccessible which prevent me from upgrading certain components like I.E. to v. 7, or installing needed updates. Have I come to the end of my road? Or, is there another fix we can try before you tell me to reinstall Windows??

Hi, dragonflei, if you used that SDFix link in FF it should have prompted you immediately if you wished to accept the download - that is the actual dl site, button pressed, ready to go URL. You won't find SDFix on any other link in that site.
But now, having seen your hijackthis log at last, there is no need to run it, so please don't - the log shows clean. I do not know how you removed Winantispyware but it is not running; if you still have traces of it in your sys that you wish to remove then one of the best tools for it is this one:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
I suspect that something with your IE browser is corrupted; if the problem was merely something like a security setting you would be prompted when you attempted something which was blocked. May I suggest this: go start, run, type:
sfc /scannow -and press Enter. You may be prompted to insert your installation CD - this runs Windows file protection system which will replace any faulty files in your system cache.

And if it still will not work, then IEFIX from this site will reregister IE [fix the relevant entries in your registry] as well as replace all the IE sys files using those from your installation CD [you will need that CD for a successful run]...
